By Brian Dunn
Cyber attacks in the shipping industry are on the rise, with ransomware attacks on shipping firms tripling between 2019 and 2020, according to a report by cybersecurity company BlueVoyant. Hackers say ships are easy targets as they can get in through a wireless keyboard, an unguarded printer or by reading a service user manual to exploit weaknesses, the report adds. As ships embrace digital communications in day-to-day operations, through such things as downloading emails, operating manuals, maintenance procedures or crew lists, they become more vulnerable, according to a webinar by BLG entitled Rough Seas Ahead: Cyber security in the Maritime World.
Systems at risk include navigational systems with hackers sending false navigational information to the crew, sending the ship off course or send false information on the ship’s location to a team onshore, affecting its safety and security.
“Communications systems are also heavily targeted. You can stop a ship from sending or receiving messages,” suggested Jean-Marie Fontaine, National Leader, Shipping Group, BLG. “You can have intentional disclosure of security related or sensitive commercial information due to hacking which could lead to a financial loss or extortion which could damage a company’s reputation. CMA-CGM was the subject of such an attack, but it’s not the only one.”
During the last four years, five of the world’s largest shipping lines were targets of ransomware attacks. However, the shipping industry has started to react. Since January 1, the International Maritime Organization (IMO) has required shipowners and operators to integrate cyber risk management into their security initiatives. In addition, IMO guidelines provide recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats. The recommendations can be incorporated into existing risk management processes and complement safety and security management practices already establish by the IMO. And cyber security could become an element of the seaworthiness of a ship.
Closer to home, Transport Canada’s Marine Transportation Security regulations do not address cyber security directly. Instead, TC issued a Marine Security Bulletin last March simply imposing reporting requirements regarding such threats, but it does not impose cyber security standards. TC is currently consulting with the industry to develop new regulations or make changes to its security regulations to address cyber security threats based on IMO guidelines.
A new research centre, the Maritime Cyber Security Centre of Excellence, has been created at Montreal’s École Polytechnique and will combine the expertise of two Quebec researchers, namely Neptune Cyber and Davie Shipbuilding.
A cargo ship is essentially a network of computers travelling around the globe while transporting merchandise, according to Jeremy Citone, CEO, Neptune Cyber which specializes in marine cyber security. The biggest challenge for the industry is connectivity and without updates, a ship becomes vulnerable to cyber attacks. And any flaws in a network can be exploited.
“One myth is that you’re not a target. Maybe not specifically, but you can be caught up in a cyber attack due to the vulnerability of your security system. Another myth is that systems are built to be secure, but equipment manufacturers are not security specialists and simple mistakes can have unintended consequences.
“A personal computer can be connected to the same network as the engine computer which is a fundamental problem in the maritime field. It’s very important for the industry that a standard be established. This year we saw the establishment of IMO guidelines which will start to raise awareness.”
Neptune was involved in the design of a ship at the information technology level. It separated the systems into IT (information technology) and OT (operational technology) networks. The segregation allowed overall better security as the OT network isn’t connected to the internet and it is not an expensive undertaking. The concept is not new – it has been around for decades on shore, and now it is being applied in ships.
Remote monitoring can often help solve an onboard problem, but this capability is not without risks, as both the ship and the service provider must have secure communications. “Look at everything, not just what’s on board. Find out what your entire supply chain looks like in terms of security. We have to train our crew and train people on shore to fight against a simple cyber threat, so we can ensure that our ships are adequately protected against an attack,” said Mr. Citone.
Business losses due to cyber crime data breaches will increase from US$3 billion this year to over US$5 billion in 2024, according to Juniper Research. And ransomware made up 81 per cent of financially motivated cyber attacks last year, with the average cost of each attack at $4.4 million, noted Atlas VPN. The best way to protect your company from attacks is to have an incident response plan that is consistent with regulatory guidance and industry best practices, according to Julie Gauthier, Counsel, BLG.
“Incident response testing and training can help ensure that an incident response plan is up to date and the equipment/systems/team are in a state of readiness.” Incident response often requires communicating to internal and external stakeholders such as employees, shareholders, customers and partners, including warnings to help avoid or mitigate harm.
Access to secure and reasonably current backup systems could help to avoid paying a ransom. If making a payment is unavoidable, retain a ransomware expert to negotiate with the cybercriminals, conduct appropriate due diligence for compliance with terrorist financing and economic sanction laws and facilitate the ransom payment.
“More and more companies require their service providers to carry insurance against cyber risks. The cost of a breach can be enormous, so having cyber insurance is not risky these days.”